Best Practice For Closing a Server Down

  1. I have upgraded to a new server and I am about to close down the old server.
  2. The old server has 30+ certificates on it.
  3. How should I tell Certbot to forget the old certificates?
1 Like

I'm not sure what you mean with "tell Certbot to forget the old certificates". What is your train of thought behind the "forgetting" part of that sentence? Is that purely "locally" on the server or did you imagine something "remote" at Let's Encrypts servers?

Also, are you going to completely wipe the old server? Or is it going to be repurposed without the need for Certbot? Or do you still require Certbot, but without the old certificates?

1 Like

Hi @AdrianSmithUK

if you delete the Certbot config files (per certificate), Certbot doesn't know what to renew.

But if that old instance isn't longer used (OS destroyed, jobs destroyed), there is nothing that could work.

You can use certbot delete to delete some certificates. But if you remove all, that's not required.

PS: Certbot <> Letsencrypt.

1 Like

I have moved to a new server.

All of the domains that were on the old server have been transferred to a new server and have new certificates and are functioning correctly.

I have just received a reminder to update the certificates that were on the old server.

The old server (actually an EC2 instance) will be turned off and there will be no chance to notify Certbot of anything from that server.

Is there something I should do to delete or revoke the old certificates before I close the server down, or should I just let Certbot think that these certificates are still in use.

I would have thought that the later approach would leave the Certbot database messy and would unnecessarily add extra load to your servers.

1 Like

But certbot is just an application on that same server, right? What certbot do you mean otherwise?

  • Revoking is only necessary if the server and/or private keys are somehow compromised. I.e., your server has been hacked, the private key has been leaked et cetera. There might be some situations in where you don't actually own the domain any longer and the Let's Encrypt policy says you should revoke the cert, but that's not applicable in this situation I think
  • You haven't answered my question regarding how you're disposing of your old server: is it going to be reused? Is it going to be wiped? If you're wiping/removing the entire storage of the old server, there is no need to also remove the locally stored certificates: the wipe will take care of that too, right?

As said, certbot is most likely a locally running application. What and how would you "let certbot think" anything? I don't understand what you're saying here.. Or are you running certbot on a different server than the actual server on which the certificates were used?

Which "certbot database"? You probably mean the "Let's Encrypt database"? Once a certificate has been issued, all the resources spend at that moment and the future expenses are set: revoking or deleting doesn't matter. All OCSP signatures need to be signed anyway, even if the cert is locally deleted or revoked.

1 Like

You are mixing Certbot (the client you use) with Letsencrypt (the CA you use).

There is no centralized Certbot database.

And If you have renewed the certificates, Letsencrypt doesn't know something about your old server.

So there exists no problem.


You are right. I am mixing up Certbot and Letsencrypt. I thought it would be kind to the Letsencrypt server to let it know that I have deleted that server and that the certificates wouldn't need renewing. I will just destroy the instance and forget about it.

Kind Regards,


There's no such feature. For example, you'll still get an email warning you to renew even if you've deleted the certificates and don't need them any longer.

1 Like

Yes, that's enough. Then you have deleted the private keys, revoking isn't required.


That's the best practice!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.